Solved: ACI Default Static Route to FW - Help - Page 2

SJB0095 · ‎04-23-2018

Hi,

ACI: we are about to implement ACI and have stumbled across a problem - hoping someone here may be able to help.

We have a multipod setup over two sites connected with dark fibre, a checkpoint HA pair one at each site along with an internet breakout.

I was planning to connect these firewalls to a BD in ACI but need to be able to point the networks default route the the firewalls VIP address (for fail-over) and distribute this to over a separate WAN connection EIGRP.

is this currently possible? how????? :)

SJB0095 · ‎06-11-2018

@ Manuel Velasco - you are correct, there was a problem with the IPN multicast traffic, this has been fixed and your initial suggestion now works.

Dirk Feldhaus · ‎10-23-2018

Hello,

we're trying the same setup. How is the routing on the Checkpoint configured? Specifically, which IP address are you using as next hop into the ACI networks and how do you make sure that this next hop is reachable if the firewall fails over or a leaf switch fails?

Thanks

SJB0095 · ‎10-23-2018

Hi,

I setup the same IP Address as a secondary IP on the L3out on both leaf nodes (under logical interface profiles).

Static routes on the FW's point to that IP Address.

Highly advise you use a different subnet from other L3outs - don't put multiply firewalls in the same VLAN.

Dirk Feldhaus · ‎10-23-2018

Thanks for your quick reply. The virtual IP works.